initial thoughts
karencfv committed Feb 26, 2024
1 parent b6d39a0 commit e2dc566
Showing 3 changed files with 165 additions and 96 deletions.
12 changes: 12 additions & 0 deletions package-manifest.toml
Expand Up @@ -273,6 +273,18 @@ output.type = "zone"
[package.ntp]
service_name = "ntp"
only_for_targets.image = "standard"
source.type = "composite"
source.packages = [
"ntp-svc.tar.gz",
"opte-interface-setup.tar.gz",
"zone-network-setup.tar.gz",
"zone-network-install.tar.gz"
]
output.type = "zone"

[package.ntp-svc]
service_name = "ntp-svc"
only_for_targets.image = "standard"
source.type = "local"
source.paths = [
{ from = "smf/ntp/manifest", to = "/var/svc/manifest/site/ntp" },
68 changes: 67 additions & 1 deletion sled-agent/src/services.rs
Expand Up @@ -1162,7 +1162,8 @@ impl ServiceManager {
zone_args.omicron_type(),
Some(OmicronZoneType::ExternalDns { .. })
| Some(OmicronZoneType::Nexus { .. })
| Some(OmicronZoneType::BoundaryNtp { .. })
| Some(OmicronZoneType::BoundaryNtp { .. }) // TODO: Add if necessary
// | Some(OmicronZoneType::InternalNtp { .. })
) {
return Ok(vec![]);
}
Expand Down Expand Up @@ -1937,6 +1938,69 @@ impl ServiceManager {
})?;
return Ok(RunningZone::boot(installed_zone).await?);
}
ZoneArgs::Omicron(OmicronZoneConfigLocal {
zone:
OmicronZoneConfig {
zone_type: OmicronZoneType::BoundaryNtp { .. },
underlay_address,
..
},
..
})
| ZoneArgs::Omicron(OmicronZoneConfigLocal {
zone:
OmicronZoneConfig {
zone_type: OmicronZoneType::InternalNtp { .. },
underlay_address,
..
},
..
}) => {
let Some(info) = self.inner.sled_info.get() else {
return Err(Error::SledAgentNotReady);
};

let static_addr = underlay_address.to_string();

let nw_setup_service = Self::zone_network_setup_install(
info,
&installed_zone,
&static_addr.clone(),
)?;

// Boundary NTP requires to be reachable externally but internal NTP does not
// TODO: Currently this is a service that the NTP service depends on,
// but it shouldn't be if this is an internal NTP zone. Figure out how to
// handle this in a better way.
let opte_interface_setup =
Self::opte_interface_set_up_install(&installed_zone)?;

let ntp_config = PropertyGroupBuilder::new("config")
.add_property("file", "astring", "todo!()")
.add_property("server", "astring", "todo!()")
.add_property("allow", "astring", "todo!()")
.add_property("boundary", "boolean", "todo!()");
let ntp_service = ServiceBuilder::new("oxide/ntp")
.add_instance(
ServiceInstanceBuilder::new("default")
.add_property_group(ntp_config),
);

let profile = ProfileBuilder::new("omicron")
.add_service(nw_setup_service)
// TODO: perhaps only add the service if it's a boundary ntp?
// But then I can't make the service depend on it (≖_≖ )
.add_service(opte_interface_setup)
.add_service(disabled_ssh_service)
.add_service(ntp_service);
profile
.add_to_zone(&self.inner.log, &installed_zone)
.await
.map_err(|err| {
Error::io("Failed to setup External DNS profile", err)
})?;
return Ok(RunningZone::boot(installed_zone).await?);
}
_ => {}
}

Expand Down Expand Up @@ -2251,6 +2315,7 @@ impl ServiceManager {
// service is enabled.
smfh.refresh()?;
}
// TODO: Remove this section once implemented
OmicronZoneType::BoundaryNtp {
ntp_servers,
dns_servers,
Expand Down Expand Up @@ -2281,6 +2346,7 @@ impl ServiceManager {
return Err(Error::SledAgentNotReady);
};

// TODO: Left off here
let rack_net = Ipv6Subnet::<RACK_PREFIX>::new(
sled_info.underlay_address,
)
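Review bot: The new `BoundaryNtp`/`InternalNtp` match arm builds the `config` property group with the literal string `"todo!()"` for `file`, `server`, `allow` and `boundary`, then boots the zone and returns, so the NTP service would start with placeholder values (and `boundary` is declared as a `boolean`). `server` and `allow` look like the chrony upstream and client-access settings, so they should be derived from the zone's `ntp_servers` and the rack subnet before this arm returns early; until then it seems safer to leave NTP zones on the existing path marked `TODO: Remove this section once implemented`. The error text is copied from another zone type and should read `Error::io("Failed to setup NTP profile", err)`, and `&static_addr.clone()` can simply be `&static_addr`. The enclosing functions start and end outside the visible hunks.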
181 changes: 86 additions & 95 deletions smf/ntp/manifest/manifest.xml
@@ -1,105 +1,96 @@
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<!--
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at https://mozilla.org/MPL/2.0/.
Copyright 2023 Oxide Computer Company
Copyright 2024 Oxide Computer Company
-->
<service_bundle type="manifest"
name="ntp:default">

<service name="oxide/ntp"
type="service"
version="1">

<create_default_instance enabled="false" />

<dependency name="network"
grouping="require_any"
restart_on="error"
type="service">
<service_fmri value="svc:/network/service" />
</dependency>

<dependency name="filesystem"
grouping="require_all"
restart_on="error"
type="service">
<service_fmri value="svc:/system/filesystem/minimal" />
</dependency>

<dependency name="name-services"
grouping="optional_all"
restart_on="none"
type="service">
<service_fmri value="svc:/milestone/name-services" />
</dependency>

<dependency name="routing-setup"
grouping="optional_all"
restart_on="none"
type="service">
<service_fmri value="svc:/network/routing-setup" />
</dependency>

<!--
The service is started as root, but with only the privileges it
requires. The chrony daemon forks a privileged helper and then the
main daemon drops everything it does not need, leaving it with
completely minimal privileges (it even divests the privilege to
fork/exec).
The service also always starts the binary with ASLR enabled,
regardless of whether it was linked with -zaslr
-->
<exec_method type="method"
name="start"
exec="/var/svc/method/svc-site-ntp %m"
timeout_seconds="60">
<method_context security_flags="aslr">
<method_credential user="root"
group="root"
privileges="basic,!file_link_any,!proc_info,!proc_session,file_chown_self,file_dac_search,file_dac_write,net_privaddr,proc_lock_memory,proc_priocntl,proc_setid,sys_time" />
</method_context>
</exec_method>

<exec_method type="method"
name="refresh"
exec="/var/svc/method/svc-site-ntp %m %{restarter/contract}"
timeout_seconds="60">
</exec_method>

<exec_method type="method"
name="stop"
exec="/var/svc/method/svc-site-ntp %m %{restarter/contract}"
timeout_seconds="60" />

<property_group name="config"
type="application">
<propval name="file"
type="astring"
value="/etc/inet/chrony.conf" />
<propval name="boundary"
type="boolean"
value="false" />
<propval name="server"
type="astring"
value="" />
<propval name="allow"
type="astring"
value="" />
</property_group>

<stability value="Unstable" />

<template>
<common_name>
<loctext xml:lang="C">Network Time Protocol (NTP)</loctext>
</common_name>
</template>

</service>

<service_bundle type="manifest" name="ntp:default">

<service name="oxide/ntp" type="service" version="1">
<create_default_instance enabled="true" />

<dependency name="network" grouping="require_any" restart_on="error"
type="service">
<service_fmri value="svc:/network/service" />
</dependency>

<dependency name="filesystem" grouping="require_all" restart_on="error"
type="service">
<service_fmri value="svc:/system/filesystem/minimal" />
</dependency>

<dependency name="name-services" grouping="optional_all" restart_on="none"
type="service">
<service_fmri value="svc:/milestone/name-services" />
</dependency>

<dependency name="routing-setup" grouping="optional_all" restart_on="none"
type="service">
<service_fmri value="svc:/network/routing-setup" />
</dependency>

<dependency name='zone_network_setup' grouping='require_all' restart_on='none'
type='service'>
<service_fmri value='svc:/oxide/zone-network-setup:default' />
</dependency>

<!--
TODO: Only Boundary NTP needs the opte interface. Might have to remove this
and call the zone networking CLI direclty from the method script.
-->
<dependency name='opte_interface_setup' grouping='require_all' restart_on='none'
type='service'>
<service_fmri value='svc:/oxide/opte-interface-setup:default' />
</dependency>

<!--
The service is started as root, but with only the privileges it
requires. The chrony daemon forks a privileged helper and then the
main daemon drops everything it does not need, leaving it with
completely minimal privileges (it even divests the privilege to
fork/exec).
The service also always starts the binary with ASLR enabled,
regardless of whether it was linked with -zaslr
-->
<exec_method type="method" name="start" exec="/var/svc/method/svc-site-ntp %m"
timeout_seconds="60">
<method_context security_flags="aslr">
<method_credential user="root" group="root"
privileges="basic,!file_link_any,!proc_info,!proc_session,file_chown_self,file_dac_search,file_dac_write,net_privaddr,proc_lock_memory,proc_priocntl,proc_setid,sys_time" />
</method_context>
</exec_method>

<exec_method type="method" name="refresh"
exec="/var/svc/method/svc-site-ntp %m %{restarter/contract}" timeout_seconds="60">
</exec_method>

<exec_method type="method" name="stop"
exec="/var/svc/method/svc-site-ntp %m %{restarter/contract}"
timeout_seconds="60" />

<property_group name="config" type="application">
<propval name="file" type="astring" value="/etc/inet/chrony.conf" />
<propval name="boundary" type="boolean" value="false" />
<propval name="server" type="astring" value="" />
<propval name="allow" type="astring" value="" />
</property_group>

<stability value="Unstable" />

<template>
<common_name>
<loctext xml:lang="C">Network Time Protocol (NTP)</loctext>
</common_name>
<description>
<loctext xml:lang='C'>Oxide's External DNS Service</loctext>
</description>
</template>
</service>

</service_bundle>
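Review bot: The new `<description>` in the template reads `Oxide's External DNS Service`, which looks copied from another manifest and would mislabel this service in any tooling that shows the template description; it should be `<loctext xml:lang='C'>Oxide's NTP Service</loctext>`. The rewritten manifest also appears to change `create_default_instance` to `enabled="true"` while `config/server` and `config/allow` still default to empty strings, so a comment next to it should state that the zone profile is expected to supply those values before the start method runs. The comment above `opte_interface_setup` has a typo (`direclty`), and the two new dependencies use single-quoted attributes where the rest of the file uses double quotes.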
